Absent Member.

500 Internal Server Error when trying to use WebInspect's remote API

Whenever I try to start a scan using WebInspect, I get a 500 Internal Server Error response.  The data being sent is:

POST /webinspect/scanner HTTP/1.1
Host: webinspect
Accept: */*
Content-Length: 174
Connection: close
Content-Type: application/x-www-form-urlencoded

settingsName=ScanTemplateAudit&overrides={"ScanName":"SSL Checks (192.168.1.100)","StartUrl":"https://192.168.1.100/","PolicyId":"10002","AllowedHosts":["192.168.1.100:443"]}

I looked in the Event Viewer on the webinspect host and I see these logging events:

[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers ScannerController ExecuteAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Action ApiControllerActionSelector SelectAction
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers DefaultHttpControllerActivator Create HP.WebInspect.RemoteControl.Scanner.ScannerController
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers HttpControllerDescriptor CreateController HP.WebInspect.RemoteControl.Scanner.ScannerController
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Action ApiControllerActionSelector SelectAction Selected action 'StartScan(CreateScan data)'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.ModelBinding FormatterParameterBinding ExecuteBindingAsync Parameter 'data' bound to the value 'HP.WebInspect.RemoteControl.Scanner.CreateScan'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.ModelBinding HttpActionBinding ExecuteBindingAsync Model state is valid. Values: data=HP.WebInspect.RemoteControl.Scanner.CreateScan
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.ModelBinding HttpActionBinding ExecuteBindingAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.ModelBinding FormatterParameterBinding ExecuteBindingAsync Binding parameter 'data'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers CompressionDelegateHandler SendAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers li SendAsync
[9/18/2015 10:07:41 AM][Debug] Request: POST http://webinspect/webinspect/scanner
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Request http://webinspect/webinspect/scanner
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers CorsMessageHandler SendAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers HttpControllerDescriptor CreateController
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers DefaultHttpControllerActivator Create
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers DefaultHttpControllerSelector SelectController Route='controller:scanner'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers DefaultHttpControllerSelector SelectController Scanner
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Action ApiControllerActionInvoker InvokeActionAsync Action='StartScan(data=HP.WebInspect.RemoteControl.Scanner.CreateScan)'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers CompressionDelegateHandler SendAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Request Content-type='application/json; charset=utf-8', content-length=unknown
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers CorsMessageHandler SendAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers li SendAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Net.Http.Formatting JsonMediaTypeFormatter WriteToStreamAsync Value='System.Web.Http.HttpError', type='HttpError', content-type='application/json; charset=utf-8'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers ScannerController Dispose
[9/18/2015 10:07:41 AM][Debug] Response: 500 Internal Server Error
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Net.Http.Formatting JsonMediaTypeFormatter WriteToStreamAsync
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Controllers ScannerController Dispose
[9/18/2015 10:07:41 AM][Debug] Error POST http://webinspect/webinspect/scanner System.Web.Http.Action ReflectedHttpActionDescriptor ExecuteAsync Product is not licensed.
[9/18/2015 10:07:41 AM][Debug] Error POST http://webinspect/webinspect/scanner System.Web.Http.Action ApiControllerActionInvoker InvokeActionAsync Product is not licensed.
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Action ReflectedHttpActionDescriptor ExecuteAsync Invoking action 'StartScan(data=HP.WebInspect.RemoteControl.Scanner.CreateScan)'
[9/18/2015 10:07:41 AM][Debug] Creating scan: 1750a226-fabc-4ed2-a036-3822e3bf0872
[9/18/2015 10:07:41 AM][Debug] Error POST http://webinspect/webinspect/scanner System.Web.Http.Controllers ScannerController ExecuteAsync Product is not licensed.
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Net.Http.Formatting JsonMediaTypeFormatter GetPerRequestFormatterInstance Will use same 'JsonMediaTypeFormatter' formatter
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Net.Http.Formatting DefaultContentNegotiator Negotiate Selected formatter='JsonMediaTypeFormatter', content-type='application/json; charset=utf-8'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Net.Http.Formatting DefaultContentNegotiator Negotiate Type='HttpError', formatters=[JsonMediaTypeFormatterTracer, XmlMediaTypeFormatterTracer, FormUrlEncodedMediaTypeFormatterTracer, FormUrlEncodedMediaTypeFormatterTracer]
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Net.Http.Formatting JsonMediaTypeFormatter GetPerRequestFormatterInstance Obtaining formatter of type 'JsonMediaTypeFormatter' for type='HttpError', mediaType='application/json; charset=utf-8'

Now, I noticed that a few of those events are saying "Product is not licensed", but that makes no sense.  My license is valid and I have no problems running scans with the normal GUI.  It is only when I try to use the remote API that I have any problems.

Why does the GUI work, but the remote API doesn't?

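Added example (not part of the original post, and not WebInspect or Micro Focus code): a small Python triage pass over a trace in the format posted above, reducing it to the response status, the scan ID and the distinct error messages with the components that raised them. The field layout is inferred from the posted lines and is an assumption; `triage` and `SAMPLE` are names made up for this example.

```python
import re

# Lines excerpted from the trace posted above (original order kept).
SAMPLE = """\
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.Action ApiControllerActionSelector SelectAction Selected action 'StartScan(CreateScan data)'
[9/18/2015 10:07:41 AM][Debug] Info POST http://webinspect/webinspect/scanner System.Web.Http.MessageHandlers li SendAsync
[9/18/2015 10:07:41 AM][Debug] Response: 500 Internal Server Error
[9/18/2015 10:07:41 AM][Debug] Error POST http://webinspect/webinspect/scanner System.Web.Http.Action ReflectedHttpActionDescriptor ExecuteAsync Product is not licensed.
[9/18/2015 10:07:41 AM][Debug] Error POST http://webinspect/webinspect/scanner System.Web.Http.Action ApiControllerActionInvoker InvokeActionAsync Product is not licensed.
[9/18/2015 10:07:41 AM][Debug] Creating scan: 1750a226-fabc-4ed2-a036-3822e3bf0872
[9/18/2015 10:07:41 AM][Debug] Error POST http://webinspect/webinspect/scanner System.Web.Http.Controllers ScannerController ExecuteAsync Product is not licensed.
"""

# Assumed layout: [timestamp][channel] level METHOD url category operator operation message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<channel>\w+)\] (?P<rest>.*)$")
TRACE = re.compile(r"^(?P<level>\w+) (?P<method>[A-Z]+) (?P<url>\S+) "
                   r"(?P<category>\S+) (?P<detail>.*)$")


def triage(text):
    """Reduce a trace to response status, scan id and distinct error messages."""
    out = {"status": None, "scan_id": None, "errors": {}, "unparsed": 0}
    for raw in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE.match(raw)
        if not m:  # stack-trace frames and wrapped lines carry no header
            out["unparsed"] += 1
            continue
        rest, t = m["rest"], TRACE.match(m["rest"])
        if rest.startswith("Response: "):
            out["status"] = rest[len("Response: "):]
        elif rest.startswith("Creating scan: "):
            out["scan_id"] = rest[len("Creating scan: "):]
        elif t and t["level"] in ("Error", "Fatal"):
            # detail is "<operator> <operation> <message>"; group by message
            parts = t["detail"].split(" ", 2)
            source, message = ".".join(parts[:2]), parts[-1]
            out["errors"].setdefault(message, []).append(source)
        elif m["channel"] == "Critical":
            out["errors"].setdefault(rest, []).append("Critical")
    return out


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["status"], "| scan", result["scan_id"])
    for message, sources in result["errors"].items():
        print(f"{message!r} raised by: {', '.join(sources)}")
```

Grouping by message shows that the three Error events are one failure reported at three layers of the Web API pipeline, raised after the scan ID was created.
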
Micro Focus Expert

I would change the account used to run the WebInspect API Windows Service to be the same account that WebInspect is licensed/Activated under.  I wonder if that would explain the "not licensed" message.

Separately, have you tried a very simple scan request remotely, one without the Overrides included?  The WebInspect Help guide offers a sample of using a cURL script to run scans.  However, it does not show what the resulting HTTP(S) traffic would look like, making it hard to identify if you have extraneous characters in your generating script.

For a comparison, here is that sample script edited to appear like your POST traffic.

EXAMPLE 1:

curl -d "settingsName=Default&overrides={\"ScanName\":\"SSL Checks (192.168.1.100)\",\"StartUrl\":\"https://192.168.1.100/\",\"AllowedHosts\":[\"https://192.168.1.100:443\"],\"PolicyId\":10002}" http://webinspectmachinename:8083/webinspect/scanner

I think you may have incorrectly specified your AllowedHosts parameter as it requires the protocol and slash marks shown below.  However, since the StartURL Host Name matches the AllowedHosts entry, it is superfluous at this time and you should actually remove the AllowedHosts entry as follows.

CLEANER EXAMPLE 1:

curl -d "settingsName=Default&overrides={\"ScanName\":\"SSL Checks (192.168.1.100)\",\"StartUrl\":\"https://192.168.1.100/\",\"PolicyId\":10002}" http://webinspectmachinename:8083/webinspect/scanner

Finally, is PolicyId 10002 a custom Policy of yours?  It does not match any of the canned scan Policies that come with WebInspect.  Perhaps you meant the PolicyId 1002 for the XSS Policy?

Taken from the Help Guide > Command Line Execution article:

1 = Standard
2 = Assault
3 = SOAP
4 = Quick
5 = Safe
6 = Development
7 = Blank
16 = QA
17 = Application
18 = Platform
1001 = SQL Injection
1002 = Cross-Site Scripting
1003 = OWASP Top 10 Application Security Risks 2007
1004 = All Checks
1005 = Passive
1008 = Critical and High Vulnerabilities
1009 = OWASP Top 10 Application Security Risks 2010
1010 = Aggressive SQL Injection
1011 = NoSQL and Node.js
1012 = OWASP Top 10 Application Security Risks 2013
1013 = Mobile
1014 = OpenSSL Heartbleed
1015 = Apache Struts

As a customer, you might also find this resource useful for further investigations.

HP Fortify Customers-Only Forums – protect724.hp.com/community/fortify

Others:

HP ESP (Fortify) – www.hpenterprisesecurity.com

HP Fortify Security Public User Forums – https://h30499.www3.hp.com/t5/Application-Security/ct-p/sws-AS

HP Fortify Support – https://support.fortify.com & www.hp.com/go/fortifysupport

HP Downloads – http://softwaresupport.hp.com (formerly SSO http://support.openview.hp.com)

HP ESP Training – www.hpenterprisesecurity.com/university


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Absent Member.

"I would change the account used to run the WebInspect API Windows Service to be the same account that WebInspect is licensed/Activated under.  I wonder if that would explain the "not licensed" message."

The ASCMonitor.exe process runs under the same user as the WebInspect.exe process.  The WIRCServer.exe process that gets started runs under the SYSTEM user, which I'm assuming is required for some of the permissions it needs.  Is this incorrect?

"CLEANER EXAMPLE 1:

curl -d "settingsName=Default&overrides={\"ScanName\":\"SSL Checks (192.168.1.100)\",\"StartUrl\":\"https://192.168.1.100/\",\"PolicyId\":10002}" http://webinspectmachinename:8083/webinspect/scanner"

This has the same result.  500 Internal Server Error, "Unlicensed" error in the event log.

"Finally, is PolicyId 10002 a custom Policy of yours? "

Yes.

Absent Member..

This error seems to be back in the new 10.5 release..

[1/21/2016 2:35:24 PM][Critical] Product is not licensed.
   at SPI.Scanners.Web.Framework.ScanManager.CreateScan(Guid scanID, String startUrl, IScanSettings isettings, ISecureBase secureBase, Boolean bIsScheduled, Boolean useAppSettingsForDB)
   at HP.WebInspect.RemoteControl.Scanner.ScanTools.CreateScan(ScanSettings settings, SecureBase secureBase)
   at HP.WebInspect.RemoteControl.Scanner.ScannerController.<>c__DisplayClass12.<StartScan>b__11()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Threading.Tasks.TaskHelpersExtensions.<CastToObject>d__3`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Tracing.ITraceWriterExtensions.<TraceBeginEndAsyncCore>d__18`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Tracing.ITraceWriterExtensions.<TraceBeginEndAsyncCore>d__18`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Tracing.Tracers.HttpControllerTracer.<ExecuteAsyncCore>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Tracing.ITraceWriterExtensions.<TraceBeginEndAsyncCore>d__18`1.MoveNext()

It was fixed in the later versions of 10.4..

Micro Focus Expert

Apparently this was a bug in WebInspect 10.40 and it had been corrected, yet reappeared in 10.50.  Fortify Support has a hot fix release of WebInspect 10.50, but you will need to contact them directly for it.

  • support.fortify.com

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify